2

I have followed the directions for the recommended method of separating containers issued here: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion by creating a docker-compose.yml file as follows:

version: '3'

services:
  nginx-proxy:
    image: nginx
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - nginx-conf:/etc/nginx/conf.d
      - nginx-vhost:/etc/nginx/vhost.d
      - nginx-html:/usr/share/nginx/html
      - ./ssl:/etc/nginx/certs:ro
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"

  nginx-gen:
    image: jwilder/docker-gen
    container_name: nginx-gen
    command: -notify-sighup nginx -wait 5s:30s -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl
      - nginx-conf:/etc/nginx/conf.d
      - nginx-vhost:/etc/nginx/vhost.d
      - nginx-html:/usr/share/nginx/html
      - ./ssl:/etc/nginx/certs:ro
    links:
      - nginx-proxy

  nginx-letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nginx-letsencrypt
    volumes:
      - /path/to/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - nginx-conf:/etc/nginx/conf.d
      - nginx-vhost:/etc/nginx/vhost.d
      - nginx-html:/usr/share/nginx/html
      - ./ssl:/etc/nginx/certs:rw
    environment:
      NGINX_DOCKER_GEN_CONTAINER: nginx-gen
      ACME_CA_URI: https://acme-staging.api.letsencrypt.org/directory
    links:
      - nginx-proxy
volumes:
  nginx-conf:
  nginx-vhost:
  nginx-html:

however, when running the nginx-letsencrypt container I get the following errors:

$ docker logs nginx-letsencrypt

Sleep for 3600s
2017/04/26 18:19:37 Generated '/app/letsencrypt_service_data' from 9 containers
2017/04/26 18:19:37 Running '/app/update_certs'
2017/04/26 18:19:37 Watching docker events
Reloading nginx proxy (using separate container nginx-gen)...
Creating/renewal sandbox.graph.speakr.com certificates... (sandbox.graph.speakr.com)
2017/04/26 18:19:37 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/update_certs'
2017-04-26 18:19:38,011:INFO:simp_le:1211: Generating new account key
2017-04-26 18:19:40,038:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2017-04-26 18:19:40,875:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): letsencrypt.org
2017-04-26 18:19:41,748:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): sandbox.graph.speakr.com
2017-04-26 18:19:41,834:WARNING:simp_le:1303: sandbox.graph.speakr.com was not successfully self-verified. CA is likely to fail as well!
2017-04-26 18:19:41,949:INFO:simp_le:1313: Generating new certificate private key
2017-04-26 18:19:43,495:ERROR:simp_le:1271: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-staging.api.letsencrypt.org/acme/authz/iAD9-HSmyVGb_kHwt0aLDRQHycIJzT3JooxEOTiTp48
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
Sleep for 3600s

additionally (here it's less clear to me what I should see):

$ ls -r ssl
total 8
drwxr-xr-x 2 root root 4096 Apr 26 06:04 sandbox.graph.speakr.com/
-rw-r--r-- 1 root root  424 Apr 26 06:04 dhparam.pem

which shows the sandbox directory is empty

I see from this article: https://github.com/dmp1ce/nginx-proxy-letsencrypt/issues/18 that there are similar issues (to which I see no resolution) but my case is pretty straightforward

what could be the issue here?

-- relevant info --

Docker version 17.03.0-ce, build 3a232c8

docker-compose version 1.11.2, build dfed245

Linux ip-10-0-3-113 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

jrcs/letsencrypt-nginx-proxy-companion (image): "Created": "2017-04-21T12:22:44.384018601Z"

ekkis
I don't really have an answer besides double check your environment variables, DNS and volumes configuration. It looks like you resolved the issue by recreating the volumes. Obviously, the volumes need to be mounted correctly for the system to work but I couldn't explain why the volumes would have been wrong in the first place. Perhaps a feature request for better error messages is in order for https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion if many people are running into similar issues. – Dave Apr 27 '17 at 13:13

1 Answer

4

well, for one thing I noticed I had mounted the path to the certs for nginx-letsencrypt twice (one leftover entry from the example). I fixed that but it didn't help

the fix seemed to be to remove the volumes and re-add them. something got weird, perhaps in the order in which I ran the containers, or all the experimentation. so I've moved on but I'm not sure I know what the problem was

$ docker volume rm nginx-conf nginx-vhost nginx-html
ekkis
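A check for the doubled certificate mount described in the answer, as an added example that is not part of the original post: it takes the volume entries from the question's compose file, transcribed into a Python dict, and reports container paths mounted twice within a service, paths backed by different sources across services, and which services hold a writable mount. The function names are this example's own, and it assumes every entry uses the short `source:target[:mode]` syntax.

```python
from collections import defaultdict

# Volume entries transcribed from the docker-compose.yml in the question.
SHARED = ["nginx-conf:/etc/nginx/conf.d", "nginx-vhost:/etc/nginx/vhost.d",
          "nginx-html:/usr/share/nginx/html"]
COMPOSE_VOLUMES = {
    "nginx-proxy": SHARED + ["./ssl:/etc/nginx/certs:ro"],
    "nginx-gen": SHARED + [
        "/var/run/docker.sock:/tmp/docker.sock:ro",
        "./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl",
        "./ssl:/etc/nginx/certs:ro"],
    "nginx-letsencrypt": SHARED + [
        "/path/to/certs:/etc/nginx/certs:rw",
        "/var/run/docker.sock:/var/run/docker.sock:ro",
        "./ssl:/etc/nginx/certs:rw"],
}

def mounts(volumes):
    """Yield (service, source, target, mode) per short-syntax volume entry."""
    for service, entries in volumes.items():
        for entry in entries:
            source, target, *mode = entry.split(":")
            yield service, source, target, (mode[0] if mode else "rw")

def duplicate_targets(volumes):
    """service -> {container path: [sources]} for paths mounted more than once."""
    seen = defaultdict(lambda: defaultdict(list))
    for service, source, target, _ in mounts(volumes):
        seen[service][target].append(source)
    dupes = {svc: {t: s for t, s in paths.items() if len(s) > 1}
             for svc, paths in seen.items()}
    return {svc: paths for svc, paths in dupes.items() if paths}

def split_backing(volumes):
    """container path -> sources, where services disagree on what backs it."""
    sources = defaultdict(set)
    for _, source, target, _ in mounts(volumes):
        sources[target].add(source)
    return {t: sorted(s) for t, s in sources.items() if len(s) > 1}

def writers(volumes, target):
    """Services holding a writable (non-ro) mount on a container path."""
    return sorted({svc for svc, _, t, mode in mounts(volumes)
                   if t == target and mode != "ro"})

if __name__ == "__main__":
    print("mounted twice:", duplicate_targets(COMPOSE_VOLUMES))
    print("split backing:", split_backing(COMPOSE_VOLUMES))
    print("cert writers:", writers(COMPOSE_VOLUMES, "/etc/nginx/certs"))
```

With the leftover `/path/to/certs` entry removed from `nginx-letsencrypt`, both `duplicate_targets` and `split_backing` return empty results.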